The National Computer Emergency Response Team (NCERT) has issued a high-priority advisory for organizations using Adobe Commerce and Magento Open Source, warning of a newly discovered critical vulnerability tracked as CVE-2025-54236 — dubbed “SessionReaper.”
Rated 9.1 (Critical) on the CVSS scale, the flaw allows unauthenticated attackers to hijack active customer sessions. Experts caution that this could lead to large-scale account takeovers, theft of sensitive data, and even remote code execution under certain conditions.
Technical Overview
According to NCERT, the SessionReaper vulnerability arises from improper input validation within the Commerce REST API, enabling attackers to manipulate session data remotely. The flaw affects multiple configurations, including:
- Adobe Commerce
- Magento Open Source
- B2B Extensions
- Custom Attributes Serializable Module

When exploited, attackers could intercept or impersonate user sessions, escalate privileges, execute arbitrary code, or gain full access to backend systems.
Affected Versions
- Adobe Commerce: up to version 2.4.9-alpha2
- Magento Open Source: up to version 2.4.9-alpha2

Both platforms and their corresponding modules are exposed if not updated to the latest security release.
Why It’s Dangerous
Cybersecurity analysts emphasize that SessionReaper is particularly alarming due to its low attack complexity and lack of authentication requirements. It can be executed remotely, making it easy for attackers to target unpatched systems.
Potential consequences include:
- Mass account hijacking and unauthorized transactions
- Service disruption and operational downtime
- Financial and reputational losses for online businesses

The e-commerce sector, especially platforms handling customer and payment data, remains highly vulnerable if the flaw is left unaddressed.
Recommended Mitigation
NCERT has strongly urged all administrators and developers to implement immediate security measures. The team recommends applying the emergency hotfix (VULN-32437-2-4-X-patch) or upgrading to the latest Adobe security release (see Adobe bulletin APSB25-88).
For organizations unable to patch immediately, the following temporary safeguards are advised:
- Restrict REST API access to trusted IP ranges and internal networks
- Deploy Web Application Firewall (WAF) rules to detect and block suspicious payloads
- Continuously monitor system logs for unusual login or session activity
- Rotate credentials and enforce least-privilege permissions for administrative accounts
- Strengthen intrusion detection and endpoint monitoring systems

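The first and third safeguards above can be checked together against the web server's access log: every request to the Commerce REST API that comes from outside the allow-listed ranges is a gap in the IP restriction, and a single outside address producing repeated REST errors is the kind of session activity worth looking at. The script below is an added example, not part of the NCERT advisory or of Adobe's code; it assumes an nginx combined-format log, that Magento's REST endpoints live under the `/rest/` prefix, and two trusted private ranges, and the log lines themselves are constructed.

```python
import re
import ipaddress
from collections import Counter

# Constructed nginx combined-format access-log lines (IPs, paths, agents are made up).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2025:10:01:12 +0000] "GET /rest/V1/customers/me HTTP/1.1" 200 512 "-" "curl/8.4"
10.0.0.5 - - [10/Sep/2025:10:01:13 +0000] "POST /rest/V1/guest-carts HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2025:10:01:14 +0000] "POST /rest/V1/carts/mine/estimate-shipping-methods HTTP/1.1" 400 120 "-" "curl/8.4"
198.51.100.9 - - [10/Sep/2025:10:01:20 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2025:10:01:21 +0000] "POST /rest/V1/carts/mine/estimate-shipping-methods HTTP/1.1" 500 0 "-" "curl/8.4"
"""

# client ip, timestamp, method, path and status from a combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

REST_PREFIX = "/rest/"  # assumed Magento REST API prefix
# Assumed allow-list: the ranges the REST API should be reachable from.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED)

def parse(log_text):
    """Yield one dict per parseable log line; skip anything malformed."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def audit_rest_access(log_text, error_threshold=2):
    """Return (REST requests from untrusted sources, untrusted sources with repeated 4xx/5xx)."""
    untrusted, errors = [], Counter()
    for rec in parse(log_text):
        if not rec["path"].startswith(REST_PREFIX) or is_trusted(rec["ip"]):
            continue
        untrusted.append(rec)
        if rec["status"][0] in "45":
            errors[rec["ip"]] += 1
    noisy = {ip for ip, n in errors.items() if n >= error_threshold}
    return untrusted, noisy

if __name__ == "__main__":
    hits, noisy = audit_rest_access(SAMPLE_LOG)
    for rec in hits:
        print(f'{rec["ts"]} {rec["ip"]} {rec["method"]} {rec["path"]} -> {rec["status"]}')
    print("sources with repeated REST errors:", sorted(noisy))
```

Point the script at the real access log once the IP restriction is in place: any output at all means the restriction is not being enforced for that path.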
With cyber threats against e-commerce platforms growing more frequent and sophisticated, the SessionReaper flaw underscores the urgent need for proactive defense measures. Adobe Commerce and Magento Open Source users are advised to prioritize patching and continuously monitor for signs of compromise.
Failure to address this vulnerability promptly could expose thousands of online stores to session hijacking, data theft, and full-scale system compromise. Immediate action is the only reliable safeguard.